CVE-2015-5346: XSS
First published: Tue Feb 23 2016(Updated: )
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <7.0.67 | 7.0.67 |
| redhat/tomcat | <8.0.32 | 8.0.32 |
| maven/org.apache.tomcat:tomcat | >=7.0.0<=7.0.65 | 7.0.66 |
| maven/org.apache.tomcat:tomcat | >=8.0.0.RC1<=8.0.30 | 8.0.31 |
| maven/org.apache.tomcat:tomcat | =9.0.0.M1 | 9.0.0.M2 |
| Apache Tomcat | =7.0.0-beta | |
| Apache Tomcat | =7.0.2-beta | |
| Apache Tomcat | =7.0.4-beta | |
| Apache Tomcat | =7.0.5-beta | |
| Apache Tomcat | =7.0.6 | |
| Apache Tomcat | =7.0.10 | |
| Apache Tomcat | =7.0.11 | |
| Apache Tomcat | =7.0.12 | |
| Apache Tomcat | =7.0.14 | |
| Apache Tomcat | =7.0.16 | |
| Apache Tomcat | =7.0.19 | |
| Apache Tomcat | =7.0.20 | |
| Apache Tomcat | =7.0.21 | |
| Apache Tomcat | =7.0.22 | |
| Apache Tomcat | =7.0.23 | |
| Apache Tomcat | =7.0.25 | |
| Apache Tomcat | =7.0.26 | |
| Apache Tomcat | =7.0.27 | |
| Apache Tomcat | =7.0.28 | |
| Apache Tomcat | =7.0.29 | |
| Apache Tomcat | =7.0.30 | |
| Apache Tomcat | =7.0.32 | |
| Apache Tomcat | =7.0.33 | |
| Apache Tomcat | =7.0.34 | |
| Apache Tomcat | =7.0.35 | |
| Apache Tomcat | =7.0.37 | |
| Apache Tomcat | =7.0.39 | |
| Apache Tomcat | =7.0.40 | |
| Apache Tomcat | =7.0.41 | |
| Apache Tomcat | =7.0.42 | |
| Apache Tomcat | =7.0.47 | |
| Apache Tomcat | =7.0.50 | |
| Apache Tomcat | =7.0.52 | |
| Apache Tomcat | =7.0.53 | |
| Apache Tomcat | =7.0.54 | |
| Apache Tomcat | =7.0.55 | |
| Apache Tomcat | =7.0.56 | |
| Apache Tomcat | =7.0.57 | |
| Apache Tomcat | =7.0.59 | |
| Apache Tomcat | =7.0.61 | |
| Apache Tomcat | =7.0.62 | |
| Apache Tomcat | =7.0.63 | |
| Apache Tomcat | =7.0.64 | |
| Apache Tomcat | =7.0.65 | |
| Apache Tomcat | =8.0.0-rc1 | |
| Apache Tomcat | =8.0.0-rc10 | |
| Apache Tomcat | =8.0.0-rc3 | |
| Apache Tomcat | =8.0.0-rc5 | |
| Apache Tomcat | =8.0.1 | |
| Apache Tomcat | =8.0.3 | |
| Apache Tomcat | =8.0.11 | |
| Apache Tomcat | =8.0.12 | |
| Apache Tomcat | =8.0.14 | |
| Apache Tomcat | =8.0.15 | |
| Apache Tomcat | =8.0.17 | |
| Apache Tomcat | =8.0.18 | |
| Apache Tomcat | =8.0.20 | |
| Apache Tomcat | =8.0.21 | |
| Apache Tomcat | =8.0.22 | |
| Apache Tomcat | =8.0.23 | |
| Apache Tomcat | =8.0.24 | |
| Apache Tomcat | =8.0.26 | |
| Apache Tomcat | =8.0.27 | |
| Apache Tomcat | =8.0.28 | |
| Apache Tomcat | =8.0.29 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =15.10 | |
| Ubuntu Linux | =16.04 | |
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 | |
| Apache Tomcat | =9.0.0-m1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
- http://packetstormsecurity.com/files/135890/Apache-Tomcat-Session-Fixation.html
- http://rhn.redhat.com/errata/RHSA-2016-1089.html
- http://rhn.redhat.com/errata/RHSA-2016-2046.html
- http://rhn.redhat.com/errata/RHSA-2016-2807.html
- http://rhn.redhat.com/errata/RHSA-2016-2808.html
- http://seclists.org/bugtraq/2016/Feb/143
- http://svn.apache.org/viewvc?view=revision&revision=1713184
- http://svn.apache.org/viewvc?view=revision&revision=1713185
- http://svn.apache.org/viewvc?view=revision&revision=1713187
- http://svn.apache.org/viewvc?view=revision&revision=1723414
- http://svn.apache.org/viewvc?view=revision&revision=1723506
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- http://www.debian.org/security/2016/dsa-3530
- http://www.debian.org/security/2016/dsa-3552
- http://www.debian.org/security/2016/dsa-3609
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- http://www.securityfocus.com/bid/83323
- http://www.securitytracker.com/id/1035069
- http://www.ubuntu.com/usn/USN-3024-1
- https://access.redhat.com/errata/RHSA-2016:1087
- https://access.redhat.com/errata/RHSA-2016:1088
- https://bto.bluecoat.com/security-advisory/sa118
- https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/201705-09
- https://security.netapp.com/advisory/ntap-20180531-0001/
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2015-5346
- https://web.archive.org/web/20160321234551/http://www.securitytracker.com/id/1035069
- https://web.archive.org/web/20160912063818/http://www.securityfocus.com/bid/83323
- https://github.com/advisories/GHSA-jrcp-c39h-r29x (Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1089.html
- https://rhn.redhat.com/errata/RHSA-2016-2046.html
- https://rhn.redhat.com/errata/RHSA-2016-2808.html
- https://rhn.redhat.com/errata/RHSA-2016-2807.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1311085
- https://github.com/apache/tomcat/commit/04164c1f01b973e548d95511d417f414ca723cb8
- https://github.com/apache/tomcat/commit/6287be37d8d06c320215c45f7e2b8380411692e0
- https://github.com/apache/tomcat/commit/83679b99cd40caa401d173c8f8e72fc98eb5d5be
- https://github.com/apache/tomcat80/commit/41fbee7ba15435a831f765597ff907c56ebf2169
- https://github.com/apache/tomcat80/commit/c39b7ffc2145644f7f3cf9e3cd4aada5048e56a0
- https://security.netapp.com/advisory/ntap-20180531-0001
Frequently Asked Questions
What is the severity of CVE-2015-5346?
CVE-2015-5346 is classified as a medium severity vulnerability due to its potential to allow remote session hijacking.
How do I fix CVE-2015-5346?
To mitigate CVE-2015-5346, upgrade Apache Tomcat to versions 7.0.67, 8.0.32, or 9.0.0.M2 or later.
Which versions of Apache Tomcat are affected by CVE-2015-5346?
CVE-2015-5346 affects Apache Tomcat versions 7.x prior to 7.0.66, 8.x prior to 8.0.30, and 9.x prior to 9.0.0.M2.
What types of attacks are possible with CVE-2015-5346?
CVE-2015-5346 allows attackers to hijack user sessions through session fixation attacks.
Is CVE-2015-5346 exploitable in all configurations of Tomcat?
CVE-2015-5346 is exploitable when different session settings are used for multiple deployments of the same web application.
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5346
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jrcp-c39h-r29x
- agent/references
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0-beta
- version/apache tomcat/7.0.2-beta
- version/apache tomcat/7.0.4-beta
- version/apache tomcat/7.0.5-beta
- version/apache tomcat/7.0.6
- version/apache tomcat/7.0.10
- version/apache tomcat/7.0.11
- version/apache tomcat/7.0.12
- version/apache tomcat/7.0.14
- version/apache tomcat/7.0.16
- version/apache tomcat/7.0.19
- version/apache tomcat/7.0.20
- version/apache tomcat/7.0.21
- version/apache tomcat/7.0.22
- version/apache tomcat/7.0.23
- version/apache tomcat/7.0.25
- version/apache tomcat/7.0.26
- version/apache tomcat/7.0.27
- version/apache tomcat/7.0.28
- version/apache tomcat/7.0.29
- version/apache tomcat/7.0.30
- version/apache tomcat/7.0.32
- version/apache tomcat/7.0.33
- version/apache tomcat/7.0.34
- version/apache tomcat/7.0.35
- version/apache tomcat/7.0.37
- version/apache tomcat/7.0.39
- version/apache tomcat/7.0.40
- version/apache tomcat/7.0.41
- version/apache tomcat/7.0.42
- version/apache tomcat/7.0.47
- version/apache tomcat/7.0.50
- version/apache tomcat/7.0.52
- version/apache tomcat/7.0.53
- version/apache tomcat/7.0.54
- version/apache tomcat/7.0.55
- version/apache tomcat/7.0.56
- version/apache tomcat/7.0.57
- version/apache tomcat/7.0.59
- version/apache tomcat/7.0.61
- version/apache tomcat/7.0.62
- version/apache tomcat/7.0.63
- version/apache tomcat/7.0.64
- version/apache tomcat/7.0.65
- version/apache tomcat/8.0.0-rc1
- version/apache tomcat/8.0.0-rc10
- version/apache tomcat/8.0.0-rc3
- version/apache tomcat/8.0.0-rc5
- version/apache tomcat/8.0.1
- version/apache tomcat/8.0.3
- version/apache tomcat/8.0.11
- version/apache tomcat/8.0.12
- version/apache tomcat/8.0.14
- version/apache tomcat/8.0.15
- version/apache tomcat/8.0.17
- version/apache tomcat/8.0.18
- version/apache tomcat/8.0.20
- version/apache tomcat/8.0.21
- version/apache tomcat/8.0.22
- version/apache tomcat/8.0.23
- version/apache tomcat/8.0.24
- version/apache tomcat/8.0.26
- version/apache tomcat/8.0.27
- version/apache tomcat/8.0.28
- version/apache tomcat/8.0.29
- version/apache tomcat/9.0.0-milestone1
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/15.10
- version/ubuntu linux/16.04
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0
- version/apache tomcat/9.0.0-m1